> A good thing would be to (for each distro) somehow document what is normal on a default installation (if such exists).

There's really no such thing as a default install. Every response you make when you install makes your install different from someone else's, even if you take the defaults as much as possible.

What you seem to want might be satisfied by running aide or tripwire after an install but before you ever plugged in your ethernet cable or allowed wireless to connect. This would work better if you already had all your update rpms downloaded and available locally, since if you use the net to update the install, your system will no longer look much like the baseline you established.

But these only track files, not open ports, running processes, etc. And if the intruder knows where you're looking, they can put their stuff somewhere else.

I've been dabbling with tripwire and aide; running yum update always makes life difficult. Update gnome or something else big and tripwire will report every file that changed. That's what we asked for, but it is info overload for sure. And tripwire is kind of a headache to learn and set up.

> there're quite a lot of rootkits that look for those anti-rootkits, and if they find
> them they'd patch them in order not to show themselves in the results.

Any security measure has its countermeasure. That doesn't mean they're useless.

suerta,
Dave
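As an added illustration of the baseline idea in Dave's reply (this is not his script, nor aide or tripwire; it was written for this thread), the sketch below takes a file manifest the way those tools do and also records the two things he notes they miss: listening sockets and running process names. It assumes GNU coreutils (sha256sum, stat -c) and a Linux /proc; the paths /usr and /media/baseline in the usage line are placeholders.

```shell
#!/bin/sh
# Constructed example: an aide/tripwire-style baseline that also records
# listening TCP sockets and process names.  Not the list's own tooling.
# Assumes GNU coreutils (sha256sum, stat -c) and a Linux /proc.  Run as root
# for a real tree, or unreadable files will abort the snapshot.
set -u

# One line per regular file under $1: "<sha256> <mode> <uid> <gid> <size>\t<path>".
# The tab keeps paths with spaces intact (newlines in names are not handled);
# LC_ALL=C gives a stable sort order so two manifests can be diffed.
snapshot_files() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    h=$(sha256sum -- "$f" | cut -d' ' -f1)
    m=$(stat -c '%a %u %g %s' -- "$f")
    printf '%s %s\t%s\n' "$h" "$m" "$f"
  done
}

# Listening TCP sockets straight from /proc/net, so it works where ss and
# netstat are absent.  State 0A is LISTEN; the port is decoded from hex.
snapshot_ports() {
  for f in /proc/net/tcp /proc/net/tcp6; do
    [ -r "$f" ] || continue
    awk -v proto="${f##*/}" '
      function hex2dec(h,  i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
          v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
      }
      NR > 1 && $4 == "0A" { split($2, a, ":"); print proto, a[1], hex2dec(a[2]) }
    ' "$f"
  done | LC_ALL=C sort -u
}

# Process names from /proc/<pid>/comm (no procps dependency).  Coarse, but a
# daemon name that was not there after install is worth a look.
snapshot_procs() {
  for d in /proc/[0-9]*; do
    cat "$d/comm" 2>/dev/null
  done | LC_ALL=C sort -u
}

# Diff two file manifests by path.  Prints "added"/"changed"/"removed <path>"
# (a mode or owner change counts as changed, so a new setuid bit shows up)
# and returns 1 if anything differs, 0 if the tree matches the baseline.
compare_files() {
  out=$(awk -F'\t' '
    FILENAME == ARGV[1] { old[$2] = $1; next }
    {
      if (!($2 in old))       print "added", $2
      else if (old[$2] != $1) print "changed", $2
      delete old[$2]
    }
    END { for (p in old) print "removed", p }
  ' "$1" "$2" | LC_ALL=C sort)
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Write the three snapshots of tree $1 into directory $2.  Do this before the
# box has ever been on the network, with the update packages already on local
# media, and keep $2 off the box (read-only or removable), or the intruder
# simply edits the baseline to match.
take_baseline() {
  mkdir -p "$2"
  snapshot_files "$1" > "$2/files.manifest"
  snapshot_ports > "$2/ports.list"
  snapshot_procs > "$2/procs.list"
}

# Re-snapshot tree $1 and report against baseline $2.  Returns non-zero if
# files, listeners or process names differ.
check_baseline() {
  tmp=$(mktemp -d) rc=0
  snapshot_files "$1" > "$tmp/files.manifest"
  snapshot_ports > "$tmp/ports.list"
  snapshot_procs > "$tmp/procs.list"
  echo "== files ==";             compare_files "$2/files.manifest" "$tmp/files.manifest" || rc=1
  echo "== listening sockets =="; diff "$2/ports.list" "$tmp/ports.list" || rc=1
  echo "== process names ==";     diff "$2/procs.list" "$tmp/procs.list" || rc=1
  rm -rf "$tmp"
  return $rc
}

# Usage (placeholder paths):  take_baseline /usr /media/baseline
#            later, from the same read-only media:  check_baseline /usr /media/baseline
```

This has the same limits Dave describes: a package update rewrites hundreds of files and every one is reported, and anything that hides from the kernel's own view of /proc (a kernel-level rootkit) hides from this too, since it only reads what the running kernel reports. It is a baseline, not a substitute for checking the box from known-good media.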